[Discuss] Is open source more secure at the current level of AI?
markw at mohawksoft.com
Fri Apr 10 08:19:52 EDT 2026
> On Thu, 9 Apr 2026 18:37:47 -0400
> markw at mohawksoft.com wrote:
>
>> Trust me, I've been in the industry for over 4 decades. Any company
>> that puts the effort into scanning their source also will scan the
>> open source. This has been common practice for well over a decade. I
>> have personally managed CVE detection and mitigation in two companies.
>
> There's even a sub-industry specializing in this. We use three
> different vendors' (that I know of, there might be more that the
> release group uses that I'm not aware of) systems to scan EVERYTHING we
> pull in from outside, EVERYTHING we run, EVERYTHING we write
> internally, EVERYTHING we build, and EVERYTHING we ship to our
> customers.
This is exactly what I was saying. The assertion that "closed source" is
more secure doesn't make sense. If a company uses whatever methods to
scan their closed source, they also use those same methods for the open
source that they use. It is only logical that the open source would face
far more scrutiny than the closed source because multiple entities are
scanning and examining the software.
>
> We sign everything we ship with a dedicated security appliance. Our
> customers can be confident that nothing has been tampered with after it
> leaves our network. And if developers forget to sign their test builds?
> Or they try to pull in things that aren't authorized? One of those
> security systems will kill it and quarantine it. If it isn't validated
> and signed then it does not run.
>
Before my previous company was bought by Google, we were in the process of
rebuilding every single open source package we use and signing them with
our own keys. The process of rebuilding also included scanning for
vulnerabilities. Today, we would be incorporating one of the LLMs as part
of that process as well.
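The build-then-gate flow the two posters describe (rebuild the open source you use, sign what you ship with your own key, and refuse to run anything unsigned, tampered or never authorized), as an added example that is not part of the original thread or either poster's tooling. It assumes an in-memory Ed25519 key as a stand-in for a dedicated signing appliance, a signed SHA-256 manifest as the authorization list, and constructed sample bytes in place of real rebuilt packages; the function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest maps each shipped artifact's file name to the hex SHA-256 of the
// bytes the release build produced. The manifest is what gets signed.
type Manifest map[string]string

// Decision is the gate's verdict on one artifact.
type Decision string

const (
	Run        Decision = "run"
	Quarantine Decision = "quarantine"
)

// NewReleaseKey makes an Ed25519 key pair. Hypothetical stand-in for a
// signing appliance; in production the private half never leaves the HSM.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Digest returns the hex SHA-256 of an artifact's bytes.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// encodeManifest serialises the manifest for signing. encoding/json writes
// map keys in sorted order, so equal manifests always produce equal bytes.
func encodeManifest(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// BuildManifest is the release-side step: hash every rebuilt package and
// sign the table with the release key. Returns the manifest and signature.
func BuildManifest(priv ed25519.PrivateKey, artifacts map[string][]byte) (Manifest, []byte, error) {
	m := Manifest{}
	for name, body := range artifacts {
		m[name] = Digest(body)
	}
	enc, err := encodeManifest(m)
	if err != nil {
		return nil, nil, err
	}
	return m, ed25519.Sign(priv, enc), nil
}

// Gate is the run-side step: refuse an artifact unless the manifest
// signature verifies under the trusted public key, the name is listed (an
// unsigned test build or an unauthorized pull-in is quarantined), and the
// bytes hash to the listed digest (a post-build tamper is quarantined).
func Gate(pub ed25519.PublicKey, m Manifest, sig []byte, name string, body []byte) (Decision, string) {
	enc, err := encodeManifest(m)
	if err != nil || !ed25519.Verify(pub, enc, sig) {
		return Quarantine, "manifest signature does not verify"
	}
	want, ok := m[name]
	if !ok {
		return Quarantine, "artifact not authorized by signed manifest"
	}
	if Digest(body) != want {
		return Quarantine, "artifact bytes do not match signed digest"
	}
	return Run, "validated and signed"
}

func main() {
	pub, priv := NewReleaseKey()
	// Constructed sample "packages"; real inputs would be the rebuilt binaries.
	built := map[string][]byte{
		"libfoo.so": []byte("rebuilt libfoo"),
		"app":       []byte("rebuilt app"),
	}
	m, sig, err := BuildManifest(priv, built)
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		body []byte
	}{
		{"app", built["app"]},                      // genuine release artifact
		{"app", []byte("rebuilt app (patched)")},   // tampered after signing
		{"devtest", []byte("unsigned test build")}, // never authorized
	}
	for _, c := range cases {
		d, why := Gate(pub, m, sig, c.name, c.body)
		fmt.Printf("%-8s %-10s %s\n", c.name, d, why)
	}
}
```

Signing the manifest rather than each file separately means one signature covers the whole authorization list, so adding a file to the list without the release key is caught the same way as editing a file: the manifest bytes no longer match the signature.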